CVE-2023-53819
Description
In the Linux kernel, the following vulnerability has been resolved:
amdgpu: validate offset_in_bo of drm_amdgpu_gem_va
This is motivated by OOB access in amdgpu_vm_update_range when offset_in_bo+map_size overflows.
v2: keep the validations in amdgpu_vm_bo_map
v3: add the validations to amdgpu_vm_bo_map/amdgpu_vm_bo_replace_map rather than to amdgpu_gem_va_ioctl
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A missing validation in the Linux kernel's AMDGPU driver allows out-of-bounds access via overflow of offset_in_bo+map_size.
Vulnerability
In the Linux kernel's AMDGPU driver, the DRM_IOCTL_AMDGPU_GEM_VA path did not properly validate the offset_in_bo field of struct drm_amdgpu_gem_va. When the sum offset_in_bo + map_size overflows, the result is an out-of-bounds (OOB) access in the amdgpu_vm_update_range function. The validation was missing from the amdgpu_vm_bo_map and amdgpu_vm_bo_replace_map functions, which are called during GPU virtual address (VA) mapping operations [1][2].
Exploitation
An attacker with local access and the ability to submit DRM_IOCTL_AMDGPU_GEM_VA calls can trigger the overflow by crafting a large offset_in_bo value and map_size. No special privileges beyond standard user-space access to the AMDGPU device are required, as the IOCTL is available to unprivileged processes that can open the /dev/dri/renderD* device. The attack surface is limited to systems with AMD Radeon graphics hardware and the amdgpu kernel module loaded [3].
Impact
Successful exploitation results in an out-of-bounds memory access within the kernel, which can cause a denial of service (system crash or hang) or potentially allow an attacker to corrupt kernel memory, leading to privilege escalation. The vulnerability is classified as a high-severity issue due to the possibility of arbitrary code execution in kernel context [4].
Mitigation
The fix was applied in Linux kernel stable releases. The patch adds validation of offset_in_bo in the amdgpu_vm_bo_map and amdgpu_vm_bo_replace_map functions to prevent the overflow. Users should update their kernel to a version containing the commit d83c337e654d or later. No workaround is available other than applying the patch [1][2].
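The class of check the patch description refers to can be modelled in user space. The following is an added example, not the kernel's code and not taken from the fix commits: the function names, the 4 KiB page size and the sample values are assumptions made for illustration. It contrasts a range check that forms offset + size directly, and so wraps, with one that cannot wrap.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define PAGE_SZ 0x1000ULL /* assumed 4 KiB page size for this model */

/* Naive range check: offset + size is computed in 64 bits and can wrap. */
static bool range_ok_naive(uint64_t offset, uint64_t size, uint64_t bo_size)
{
    return offset + size <= bo_size;
}

/* Overflow-safe check: never forms offset + size before proving it fits. */
static bool range_ok_checked(uint64_t offset, uint64_t size, uint64_t bo_size)
{
    if ((offset | size) & (PAGE_SZ - 1))  /* both must be page aligned */
        return false;
    if (size == 0 || size > bo_size)      /* empty, or larger than the object */
        return false;
    return offset <= bo_size - size;      /* cannot wrap: size <= bo_size */
}

int main(void)
{
    /* Constructed sample values, not taken from any real report. */
    const uint64_t bo_size = 0x10000;               /* 64 KiB object */
    const uint64_t offset  = 0xFFFFFFFFFFFFF000ULL; /* one page below 2^64 */
    const uint64_t size    = 0x2000;                /* offset + size wraps to 0x1000 */

    printf("naive accepts wrapped range:   %d\n",
           range_ok_naive(offset, size, bo_size));
    printf("checked accepts wrapped range: %d\n",
           range_ok_checked(offset, size, bo_size));
    printf("checked accepts in-bounds map: %d\n",
           range_ok_checked(0x1000, 0x2000, bo_size));
    return 0;
}
```

The wrapped sum 0x1000 is smaller than the object size, so the naive comparison passes even though the requested range lies far outside the object.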
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches (8)
- 968e27fd037e
- 4300a47e4017
- b10db1d21374
- f015aadc0d97
- bc6dbf34dc4f
- 9f0bcf49e989
- 82aace80cfaa
- d83c337e654d
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (8)
- git.kernel.org/stable/c/4300a47e4017c9febb60ffa7d39723eeaed00f2b (nvd)
- git.kernel.org/stable/c/82aace80cfaab778245bd2f9e31b67953725e4d0 (nvd)
- git.kernel.org/stable/c/968e27fd037ec4732068820a9b9836eccc0e0a12 (nvd)
- git.kernel.org/stable/c/9f0bcf49e9895cb005d78b33a5eebfa11711b425 (nvd)
- git.kernel.org/stable/c/b10db1d2137415e5e7f9706d96cfe77539c499d4 (nvd)
- git.kernel.org/stable/c/bc6dbf34dc4fb639522f3e8e66ef05997c0441ee (nvd)
- git.kernel.org/stable/c/d83c337e654d58d3edd15a2ae76e87dc601c07d9 (nvd)
- git.kernel.org/stable/c/f015aadc0d973047f49526a127e900c488d4e425 (nvd)